From 468e4674b8de6ec8a71cdf34fa5b9cb56c22cd4b Mon Sep 17 00:00:00 2001
From: rndmh3ro
Date: Mon, 21 Feb 2022 10:02:54 +0100
Subject: [PATCH] debian 9's nginx doesnt support tls1.3

while this could be better solved by checking what nginx version is used, debian9 is eol'd in 4 months. if there will be again a need to check for nginx versions, we'll add it then

Signed-off-by: rndmh3ro
---
 roles/nginx_hardening/defaults/main.yml | 1 -
 roles/nginx_hardening/tasks/main.yml | 23 +++++++++++++++++++++++
 roles/nginx_hardening/vars/Amazon.yml | 2 ++
 roles/nginx_hardening/vars/Archlinux.yml | 2 ++
 roles/nginx_hardening/vars/Debian.yml | 2 ++
 roles/nginx_hardening/vars/Debian_9.yml | 2 ++
 roles/nginx_hardening/vars/Fedora.yml | 2 ++
 roles/nginx_hardening/vars/RedHat.yml | 2 ++
 roles/nginx_hardening/vars/Suse.yml | 2 ++
 roles/nginx_hardening/vars/main.yml | 1 -
 10 files changed, 37 insertions(+), 2 deletions(-)
 create mode 100644 roles/nginx_hardening/vars/Amazon.yml
 create mode 100644 roles/nginx_hardening/vars/Archlinux.yml
 create mode 100644 roles/nginx_hardening/vars/Debian.yml
 create mode 100644 roles/nginx_hardening/vars/Debian_9.yml
 create mode 100644 roles/nginx_hardening/vars/Fedora.yml
 create mode 100644 roles/nginx_hardening/vars/RedHat.yml
 create mode 100644 roles/nginx_hardening/vars/Suse.yml
 delete mode 100644 roles/nginx_hardening/vars/main.yml

diff --git a/roles/nginx_hardening/defaults/main.yml b/roles/nginx_hardening/defaults/main.yml
index fd1219923..8b5448953 100644
--- a/roles/nginx_hardening/defaults/main.yml
+++ b/roles/nginx_hardening/defaults/main.yml
@@ -23,7 +23,6 @@ nginx_add_header:
 nginx_set_cookie_flag: "* HttpOnly secure"
 nginx_ssl_prefer_server_ciphers: "on"
-nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
 nginx_ssl_ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
 nginx_ssl_session_tickets: "off"
 nginx_dh_size: "4096"
diff --git a/roles/nginx_hardening/tasks/main.yml b/roles/nginx_hardening/tasks/main.yml
index aa06d0058..a0b957566 100644
--- a/roles/nginx_hardening/tasks/main.yml
+++ b/roles/nginx_hardening/tasks/main.yml
@@ -1,4 +1,27 @@
 ---
+- name: Fetch OS dependent variables
+ include_vars:
+ file: '{{ item }}'
+ name: 'os_vars'
+ with_first_found:
+ - files:
+ - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
+ - '{{ ansible_facts.distribution }}.yml'
+ - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
+ - '{{ ansible_facts.os_family }}.yml'
+ skip: true
+ tags: always
+
+# we only override variables with our default, if they have not been specified already
+# by default the lookup functions finds all varnames containing the string, therefore
+# we add ^ and $ to denote start and end of string, so this returns only exact matches
+- name: Set OS dependent variables, if not already defined by user # noqa var-naming
+ set_fact:
+ '{{ item.key }}': '{{ item.value }}'
+ when: "not lookup('varnames', '^' + item.key + '$')"
+ with_dict: '{{ os_vars }}'
+ tags: always
+
 - name: Create additional configuration
 template:
 src: "hardening.conf.j2"
diff --git a/roles/nginx_hardening/vars/Amazon.yml b/roles/nginx_hardening/vars/Amazon.yml
new file mode 100644
index 000000000..928c30d5c
--- /dev/null
+++ b/roles/nginx_hardening/vars/Amazon.yml
@@ -0,0 +1,2 @@
+---
+nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
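Review bot: Dropping `nginx_ssl_protocols` from defaults/main.yml is, as far as I can tell, required by the new `varnames` check in tasks/main.yml (a role default would satisfy `^nginx_ssl_protocols$` and stop the per-OS value from being applied), but neither file records that coupling, so the next person to add a default back would silently re-break the Debian 9 case. Suggest a comment at the removal site: `# nginx_ssl_protocols is set per OS from vars/<Distribution>.yml; do not add a default here, the varnames check in tasks/main.yml would treat it as a user override`. The comment block in the tasks/main.yml hunk could carry the matching statement that keys in vars/*.yml must not also appear in defaults/main.yml.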
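Review bot: `skip: true` on the `with_first_found` lookup means a host whose `distribution`/`os_family` matches none of the listed vars files skips the include silently, and the following `with_dict: '{{ os_vars }}'` then fails on an undefined `os_vars` rather than with a message naming the unsupported platform; since this commit also removes the `nginx_ssl_protocols` default, such hosts have no fallback value at all. Consider dropping `skip: true` and ending the `files` list with a generic entry such as `- 'default.yml'` (a new file holding the conservative `nginx_ssl_protocols: "TLSv1.2"`) so an unlisted platform still renders a valid, restrictive config, or alternatively an `assert` that `os_vars is defined` with an explicit failure message. The rest of tasks/main.yml continues outside the hunk, so I cannot see whether a later task already guards this.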
diff --git a/roles/nginx_hardening/vars/Archlinux.yml b/roles/nginx_hardening/vars/Archlinux.yml
new file mode 100644
index 000000000..928c30d5c
--- /dev/null
+++ b/roles/nginx_hardening/vars/Archlinux.yml
@@ -0,0 +1,2 @@
+---
+nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
diff --git a/roles/nginx_hardening/vars/Debian.yml b/roles/nginx_hardening/vars/Debian.yml
new file mode 100644
index 000000000..928c30d5c
--- /dev/null
+++ b/roles/nginx_hardening/vars/Debian.yml
@@ -0,0 +1,2 @@
+---
+nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
diff --git a/roles/nginx_hardening/vars/Debian_9.yml b/roles/nginx_hardening/vars/Debian_9.yml
new file mode 100644
index 000000000..7a1446898
--- /dev/null
+++ b/roles/nginx_hardening/vars/Debian_9.yml
@@ -0,0 +1,2 @@
+---
+nginx_ssl_protocols: "TLSv1.2"
diff --git a/roles/nginx_hardening/vars/Fedora.yml b/roles/nginx_hardening/vars/Fedora.yml
new file mode 100644
index 000000000..928c30d5c
--- /dev/null
+++ b/roles/nginx_hardening/vars/Fedora.yml
@@ -0,0 +1,2 @@
+---
+nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
diff --git a/roles/nginx_hardening/vars/RedHat.yml b/roles/nginx_hardening/vars/RedHat.yml
new file mode 100644
index 000000000..928c30d5c
--- /dev/null
+++ b/roles/nginx_hardening/vars/RedHat.yml
@@ -0,0 +1,2 @@
+---
+nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
diff --git a/roles/nginx_hardening/vars/Suse.yml b/roles/nginx_hardening/vars/Suse.yml
new file mode 100644
index 000000000..928c30d5c
--- /dev/null
+++ b/roles/nginx_hardening/vars/Suse.yml
@@ -0,0 +1,2 @@
+---
+nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
diff --git a/roles/nginx_hardening/vars/main.yml b/roles/nginx_hardening/vars/main.yml
deleted file mode 100644
index ed97d539c..000000000
--- a/roles/nginx_hardening/vars/main.yml
+++ /dev/null
@@ -1 +0,0 @@
----
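Review bot: Debian_9.yml is the only new vars file whose value differs from the others, and the reason for the TLSv1.2-only line (Debian 9's packaged nginx lacks TLSv1.3, and the file is meant to go away once Debian 9 support ends) exists only in the commit message. Suggest a comment above the key: `# Debian 9's packaged nginx has no TLSv1.3 support; remove this file once Debian 9 support is dropped`. Stating that the narrower value is the intended floor, not a relaxation, also stops a later reader from "fixing" it by copying the line from Debian.yml.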